Enable Oracle Fusion Applications Cloud Service Federation and OAuth Trust with Oracle Identity Cloud Service

You can set up Oracle Fusion Applications Cloud Service to enable single sign-on (SSO) by federating with Oracle Identity Cloud Service. Once your Oracle Fusion Applications Cloud Service is federated with Oracle Identity Cloud Service, you can configure an OAuth trust relationship to enable OAuth 2.0 functionality between your PaaS and SaaS applications.

The steps for enabling federation depend on which of the following scenarios match your situation:

  • With Oracle Fusion Applications Cloud Service as the identity provider (IDP) and Oracle Identity Cloud Service as a service provider (SP), your user names, passwords, and other user account information are managed in Oracle Fusion Applications Cloud Service, and synchronized to your Oracle PaaS Oracle Identity Cloud Service instance.

  • With Oracle Identity Cloud Service as the IDP and Oracle Fusion Applications Cloud Service as an SP, you can manage your user names, passwords, and other user account information from your Oracle PaaS Oracle Identity Cloud Service instance and synchronize them to your Oracle Fusion Applications Cloud Service instance. Or, you can create and manage users in Oracle Fusion Applications Cloud Service and synchronize them to your Oracle Identity Cloud Service instance.

Download a Copy of Your Oracle Identity Cloud Service Tenant Signing Certificate

Obtain a copy of your Oracle Identity Cloud Service Tenant Signing Certificate, including the Root Certificate Authority (RCA) and issuer name.

  1. In the Oracle Identity Cloud Service console, select the Settings tab and enable Access Signing Certificate. (It may already be enabled. You can disable the Access Signing Certificate control after you obtain the certificate.)
  2. Download the certificate data from this URL:
    https://<IDENTITY CLOUD SERVICE HOST>/admin/v1/SigningCert/jwk

    The response includes two certificates, separated by a comma.

  3. Create two certificate files, idcs.cert and idcs_ca.cert, one for each certificate in the response. Copy the data for each certificate and paste it into its text file between a -----BEGIN CERTIFICATE----- header and an -----END CERTIFICATE----- footer.
  4. Get the issuer name and token endpoint from https://<IDCS instance host>/.well-known/idcs-configuration. Open the URL and copy the issuer value and the token_endpoint value.
You’ll include the certificate files when you file a service request later in this process.
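As an added example (not Oracle's code), the following Python turns a signing-key JWK response into the two PEM files the procedure asks for and reads the issuer and token endpoint from the well-known document. It assumes the response is a standard JWK Set whose key carries an x5c chain with the tenant certificate first and the CA certificate second; both embedded JSON samples are constructed placeholders.

```python
"""Build idcs.cert / idcs_ca.cert from the signing-key JWK response and read
issuer + token_endpoint from .well-known/idcs-configuration (added example)."""
import base64
import json
import textwrap

# Constructed sample of the /admin/v1/SigningCert/jwk response. The JWK Set
# shape (RFC 7517 "x5c" chain, tenant cert first, issuing CA second) is an
# assumption, not taken from the page; the base64 bodies are not real DER.
SAMPLE_JWK_RESPONSE = json.dumps({"keys": [{
    "kty": "RSA", "use": "sig", "kid": "constructed-kid",
    "x5c": [base64.b64encode(b"constructed-tenant-signing-cert-der").decode(),
            base64.b64encode(b"constructed-root-ca-cert-der").decode()],
}]})

# Constructed sample of /.well-known/idcs-configuration (only the fields used).
SAMPLE_WELL_KNOWN = json.dumps({
    "issuer": "https://<IDCS ISSUER PLACEHOLDER>/",
    "token_endpoint": "https://<IDENTITY CLOUD SERVICE HOST>/oauth2/v1/token",
})


def to_pem(b64_der: str) -> str:
    """Wrap one base64 DER blob in PEM armor, 64 characters per line."""
    base64.b64decode(b64_der, validate=True)  # reject garbage before writing
    body = "\n".join(textwrap.wrap(b64_der, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem; confirms a written file round-trips cleanly."""
    lines = [ln for ln in pem.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def split_jwk_chain(jwk_json: str) -> dict:
    """Return {"idcs.cert": pem, "idcs_ca.cert": pem} from the JWK Set."""
    keys = json.loads(jwk_json)["keys"]
    sig = [k for k in keys if k.get("use", "sig") == "sig" and "x5c" in k]
    if len(sig) != 1:
        raise ValueError(f"expected one signing key with x5c, found {len(sig)}")
    chain = sig[0]["x5c"]
    if len(chain) != 2:  # the procedure expects exactly tenant cert + CA cert
        raise ValueError(f"expected 2 certificates, found {len(chain)}")
    return {"idcs.cert": to_pem(chain[0]), "idcs_ca.cert": to_pem(chain[1])}


def issuer_and_token_endpoint(well_known_json: str) -> tuple:
    """Pull the two values the service request asks for."""
    cfg = json.loads(well_known_json)
    return cfg["issuer"], cfg["token_endpoint"]


if __name__ == "__main__":
    for name, pem in split_jwk_chain(SAMPLE_JWK_RESPONSE).items():
        with open(name, "w") as fh:
            fh.write(pem)
    print(*issuer_and_token_endpoint(SAMPLE_WELL_KNOWN), sep="\n")
```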

Enable Federation with Oracle Identity Cloud Service as Service Provider

You can enable federation with Oracle Identity Cloud Service as the service provider, and set up OAuth trust with Oracle Fusion Applications Cloud Service.

Configure a New Identity Provider in Oracle Identity Cloud Service

Use the Oracle Identity Cloud Service console to add and configure a new identity provider.

Before you get started, download the SAML 2.0 identity provider metadata from your Oracle Fusion Applications Cloud Service identity provider and save it as an xml file. For example, download the metadata from https://<identity domain>.login.<data center>.oraclecloud.com/fed/idp/metadata and save it as FA-IdP-metadata.xml.

  1. Sign in to the Oracle Identity Cloud Service console.
  2. Select the Security tab. In the side navigation bar, select Identity Providers.
  3. Click Add SAML IDP.
  4. In the Details pane, enter a name and description for the Oracle Fusion Applications Cloud Service identity provider, and click Next.
  5. In the Configure pane, select Import Identity Provider metadata, upload the SAML 2.0 identity provider metadata xml file, and click Next.
  6. In the Map pane, set the following settings:
    • Set Identity Provider User Attribute to Name ID.

    • Set Oracle Identity Cloud Service User Attribute to Username.

    • Set Requested NameID Format to Unspecified.

    Oracle Identity Cloud Service adds the identity provider in a deactivated state. You need to export metadata for the identity provider, which you will provide to Oracle later in this procedure. The wizard has the Export, Test, and Activate panes.
  7. In the Export pane, click Download, and save the Metadata.xml file.
    Don’t test or activate the new identity provider yet. It won’t work until Oracle configures your instance of Oracle Fusion Applications Cloud Service.
  8. Click Finish.
The new identity provider appears in the Identity Providers panel. Do not turn on the Activate Federated SSO control yet.

Create an Oracle Identity Cloud Service OAuth Resource and Client

Create an Oracle Identity Cloud Service application to define the OAuth resource and OAuth client relationships. This Oracle Identity Cloud Service application can be configured as an OAuth resource server for accessing data resources using OAuth. You can choose to limit which data resources applications are permitted to access.

To set up OAuth, you need to create a new Oracle Identity Cloud Service application.

  1. In the Oracle Identity Cloud Service console, select the Application tab, click Add, and then in the Add Application window, select Trusted Application.
  2. On the Details page of the Add Trusted Application wizard, give the new application a name. If you want, set other values such as description and tags. Click Next.
  3. On the Client page, select Configure this application as a client now.
    Additional options appear on the page. Set the following values:
    • Allowed Grant Types: Client Credentials and JWT Assertion.

    • Redirect URL: Enter a Redirect URL for the user to be sent after authentication, such as the Oracle SaaS application home page.
    • Client Type: Select the Confidential option.
  4. On the Resources page, select Configure this application as a resource server now.
    Additional options appear on the page.
  5. Set the following values:
    • Primary Audience: <your Oracle Fusion Applications Cloud Service REST API host name>.
    • Allowed Scopes: Click Add, and create a scope with the value /. Check the Requires Consent box.
  6. Click Next, and on the Authorization page, click Finish to save the application.
    An “Application Added” notification is shown. Make a copy of the Client ID and Client Secret: you’ll need to provide them to Oracle Support later. If you need them later, the Client ID and Client Secret also appear on the Configuration tab in the Details section for the application.
  7. With the app created and saved, select the Configuration tab, and expand the Client Configuration section. In the Accessing APIs from Other Applications section, under Allowed Scopes, click Add. In the Add Scope dialog, add one or more Resources. You can check the box for a resource to add all of its scopes, or click the right arrow for a given resource to select individual scopes. You can check the box for the whole app to add all resources. Click the Add button. Click Save to save your changes.
    As you add scopes, they are listed by application and allowed scope in the Allowed Scopes area. You can select a scope in this area and click the Remove button to remove it.
  8. To activate the application, from the Oracle Identity Cloud Service console, select Applications, and select the application. Click the Activate button to the right of the application name.

File a Service Request with My Oracle Support to Configure Oracle Fusion Applications Cloud Service

Oracle Support will configure your instance of Oracle Fusion Applications Cloud Service as an identity provider and set up OAuth.

  1. File a service request with Oracle Support. Include the following information in your service request:
    • Your Oracle Identity Cloud Service service provider Metadata.xml file, which you got earlier.
    • The Name ID format value: Unspecified
    • The Name ID value: uid
    • The Oracle Identity Cloud Service Tenant Signing Certificate, including the Root Certificate Authority and Issuer Name, that you got earlier.
    • The Oracle Fusion Applications Cloud Service service name and identity domain name
    • The client ID and client secret from your trusted OAuth application.
  2. Monitor your support ticket and provide any additional information requested by Oracle Support.
Oracle Support will add your Oracle Identity Cloud Service as a Service Provider partner, and set up Issuer Trust (to enable OAuth). Oracle Support will notify you when the task is complete, and send you a copy of your Oracle Fusion Applications Cloud Service OWSM signing certificate. You’ll need the signing certificate for the next procedure.

Update Your Oracle Fusion Applications Cloud Service OAuth Trusted Client

In Oracle Identity Cloud Service, update the Oracle Fusion Applications Cloud Service OAuth trusted client application that you created earlier to add the OWSM certificate provided by Oracle Support.

  1. In the Oracle Identity Cloud Service console, select the Application tab, and select the OAuth trusted client application that you created earlier.
  2. Expand the Client Configuration section.
  3. Select the Security check box for Trusted Client.
  4. Next to the Security control, click Import to import the Oracle Fusion Applications Cloud Service OWSM signing certificate you received from Oracle Support.
  5. Click Save.
  6. To activate the application, from the Oracle Identity Cloud Service console, select Applications, and select the application. Click the Activate button to the right of the application name.
Next, you should test the application before activating federation.

Test and Activate Federation

Test whether the identity provider is correctly configured, and then activate federation. If you want, you can enable SSO.

  1. In the Oracle Identity Cloud Service console, select the Security tab. In the side navigation bar, select Identity Providers.
  2. In the Identity Providers panel, in the Oracle Fusion Applications Cloud Service identity provider Action menu, click Test.
    If the identity provider is correctly configured, the Oracle Fusion Applications Cloud Service login page loads in a new tab or window.
  3. Enable the setting Activate Login Chooser to show the identity provider on the login page. If you want, you can leave this setting turned off to support embedded applications and other mash-up use cases.
  4. Activate the identity provider by opening the menu and selecting Activate.
  5. If you want, enable SSO by turning on the Activate Federated SSO control.

Enable Federation with Oracle Identity Cloud Service as Identity Provider

You can enable federation with Oracle Identity Cloud Service as the identity provider, and set up OAuth trust with Oracle Fusion Applications Cloud Service.

Create an Oracle Fusion Application in Oracle Identity Cloud Service

Create a new Oracle Fusion application in Oracle Identity Cloud Service to manage SSO and user provisioning between your Oracle Fusion Applications Cloud Service service provider and Oracle Identity Cloud Service.

Before you get started:

  • Download the SAML 2.0 identity provider metadata from your Oracle Identity Cloud Service identity provider and save it as an xml file. For example, download the metadata from https://<service instance>.identity.oraclecloud.com/fed/v1/metadata and save it as IDCS-IdP-metadata.xml.

  • Obtain the tenant name and domain name from the environment URL of Oracle Fusion Applications Cloud Service. For example, if your environment URL is https://eeho.hcm.us2.oraclecloud.com/hcmCore, eeho is the tenant name and us2.oraclecloud.com is the domain name.

  1. Sign in to the Oracle Identity Cloud Service console.
  2. Create a new application by selecting the Applications tab, and then clicking Add.
  3. In the Application wizard, click App Catalog.
  4. Search for Oracle Fusion Applications, and then click Add. In Oracle Fusion Applications Cloud Service Release 12, the template is named Oracle Fusion Applications. In Release 13, the template is named Oracle Fusion Applications Release 13. Select the correct template name for your release.
  5. In the App Details section, enter the tenant name and the domain name.
  6. By default, all Oracle Fusion Applications Cloud Service sub-apps are selected. Clear the sub-apps that aren't required, and then click Next. You should only select the sub-apps for which you have a license.
  7. Obtain your Oracle Fusion Applications Cloud Service service provider metadata by navigating to the following URL:
    https://<identity domain>.login.<data center>.oraclecloud.com/oamfed/sp/metadata
  8. Locate the entityID XML attribute, contained in the EntityDescriptor XML element. For example, <md:EntityDescriptor ID="id-6wBqfqu3lAOooHG3n666jh0vgqM-"  entityID="https://mydomain.login.us2.oraclecloud.com/oam/fed/idp" ... />
  9. In the App Details section of the Application wizard, enter the Entity Id that you just obtained.
  10. Create an X.509 signing certificate from the Service Provider metadata. Locate <dsig:X509Certificate> under <md:KeyDescriptor use="signing">. Copy the value between <dsig:X509Certificate> and </dsig:X509Certificate> to a text file. Add -----BEGIN CERTIFICATE----- at the beginning of the file, and -----END CERTIFICATE----- at the end of the file. Save and change the file extension to .cer. For example:
    -----BEGIN CERTIFICATE-----
    MIICVTCCAb6gAwIBAgI.....
    -----END CERTIFICATE-----
  11. In the Application wizard, click Upload, locate the signing certificate that you created, and then click Open.
  12. Click Finish. Don’t activate the application yet.
  13. If you intend to synchronize users provisioned in Oracle Fusion Applications Cloud Service to Oracle Identity Cloud Service, under SSO Configuration, select Authentication & Authorization, and clear the Authorization check box. Then click Save.
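Steps 7 to 10 can be scripted; the Python below is an added example (not Oracle's code) that reads a constructed copy of the service provider metadata, returns the entityID from md:EntityDescriptor, and writes the dsig:X509Certificate found under md:KeyDescriptor use="signing" as a PEM .cer file, ignoring the encryption KeyDescriptor that such metadata usually also carries.

```python
"""Pull entityID and the signing certificate out of SAML 2.0 SP metadata and
emit the certificate as a PEM .cer file (added example, not Oracle's code)."""
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the entityID mirrors the page's example, the certificate
# bodies are placeholders, and an encryption KeyDescriptor is included to show
# that only use="signing" is selected.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="{md}" xmlns:dsig="{dsig}"
    ID="id-constructed" entityID="https://mydomain.login.us2.oraclecloud.com/oam/fed/idp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>
        {enc}
      </dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>
        {sig}
      </dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".format(md=MD, dsig=DSIG,
           enc=base64.b64encode(b"constructed-encryption-cert-der").decode(),
           sig=base64.b64encode(b"constructed-signing-cert-der").decode())


def entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the md:EntityDescriptor root."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    return root.attrib["entityID"]


def signing_cert_b64(metadata_xml: str) -> str:
    """Return the base64 body of the single signing certificate."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # absent "use" means both
            continue
        for c in kd.iter(f"{{{DSIG}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))  # strip whitespace
    if len(certs) != 1:
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    base64.b64decode(certs[0], validate=True)  # fail early on a mangled copy
    return certs[0]


def signing_cert_pem(metadata_xml: str) -> str:
    """PEM armor with 64-character lines, as the .cer file should contain."""
    body = "\n".join(textwrap.wrap(signing_cert_b64(metadata_xml), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print("entityID:", entity_id(SAMPLE_SP_METADATA))
    with open("FA-SP-signing.cer", "w") as fh:
        fh.write(signing_cert_pem(SAMPLE_SP_METADATA))
```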
Next, you need to set up an OAuth resource and client.

Create an Oracle Identity Cloud Service OAuth Resource and Client

Create an Oracle Identity Cloud Service application to define the OAuth resource and OAuth client relationships.

To set up OAuth, you need to create a new Oracle Identity Cloud Service application.

  1. In the Oracle Identity Cloud Service console, select the Application tab, click Add, and then in the Add Application window, select Trusted Application.
  2. On the Details page of the Add Trusted Application wizard, give the new application a name. If you want, set other values such as description and tags. Click Next.
  3. On the Client page, select Configure this application as a client now.
    Additional options appear on the page. Set the following values:
    • Allowed Grant Types: Client Credentials and JWT Assertion.

      Additionally, if this OAuth client will be used for the ESS Sync Job from Oracle Fusion Applications Cloud Service, add the User Administrator app role.

    • Security: leave the Trusted Client check box unchecked for now.
  4. On the Resources page, select Configure this application as a resource server now.
    Additional options appear on the page.
  5. Set the following values:
    • Primary Audience: Your service provider host. For example, https://<service name>.crm.<data center>.domain.com
    • Allowed Scopes: Click Add, and create a scope with the value /. Check the Requires Consent box.
  6. Click Next, and on the Authorization page, click Finish to save the application.
    An “Application Added” notification is shown. Make a copy of the client ID and client secret: you’ll need to provide them to Oracle Support later. If you need them later, the client ID and client secret also appear on the Configuration tab in the Details section for the application.
  7. With the app created and saved, select the Configuration tab, and expand the Client Configuration section. In the Accessing APIs from Other Applications section, under Allowed Scopes, click Add. In the Add Scope dialog, add one or more Resources. You can check the box for a resource to add all of its scopes, or click the right arrow for a given resource to select individual scopes. You can check the box for the whole app to add all resources. Click the Add button. Click Save to save your changes.
    As you add scopes, they are listed by application and allowed scope in the Allowed Scopes area. You can select a scope in this area and click the Remove button to remove it.
  8. To activate the application, from the Oracle Identity Cloud Service console, select Applications, and select the application. Click the Activate button to the right of the application name.

File a Service Request with My Oracle Support to Configure Oracle Identity Cloud Service

Oracle Support will configure your instance of Oracle Identity Cloud Service as an identity provider.

  1. File a service request with Oracle Support. Include the following information in your service request:
    • Your Oracle Fusion Applications Cloud Service service name, Identity Domain, and data center.
    • The identity provider metadata XML file.
    • The Oracle Identity Cloud Service Tenant Signing Certificate, including the Root Certificate Authority and issuer name.
    • The Oracle Identity Cloud Service Issuer and token endpoint.
    • The client ID and client secret for the OAuth trusted client you created.
    • Indicate that the Oracle Fusion Applications Cloud Service user ID will be used for single sign-on (SSO).
  2. Monitor your support ticket and provide any additional information requested by Oracle Support.
Oracle Support will add your Oracle Identity Cloud Service as an Identity Provider to your Oracle Fusion Applications Cloud Service, and set up Issuer Trust (to enable OAuth). Oracle Support will notify you when the task is complete, and send you a copy of your Oracle Fusion Applications Cloud Service OWSM signing certificate. You’ll need the signing certificate for the next procedure.

Test and Activate SSO

Enable the Oracle Fusion Applications client, and then test and activate SSO.

  1. In the Oracle Identity Cloud Service console, select the Application tab, and select the Oracle Fusion Applications client that you created in Step 3.
  2. Click Activate, and then click Activate Application.
  3. Test SSO by navigating to the Oracle Identity Cloud Service My Apps page (https://<Oracle Identity Cloud Service hostname>/ui/v1/myconsole). Click the Oracle Fusion Applications Cloud Service icon and make sure that SSO is working. If the icon is not present, the application was not granted to the current user account.
    In some cases, such as when user accounts were created in Oracle Fusion Applications Cloud Service and then synchronized to Oracle Identity Cloud Service, the app may not be available on the My Apps page. If your users do not see the applications under My Apps, you can directly access the app URL and observe that it will federate by redirecting to the Oracle Identity Cloud Service login page. Provide the Oracle Fusion Applications Cloud Service URL to your users for them to access directly.
Next, upload the OWSM certificate that you got from Oracle Support to the OAuth trusted client.

Update Your Oracle Fusion Applications Cloud Service OAuth Trusted Client

In Oracle Identity Cloud Service, update the Oracle Fusion Applications Cloud Service OAuth trusted client application that you created earlier to add the OWSM certificate provided by Oracle Support.

  1. In the Oracle Identity Cloud Service console, select the Application tab, and select the OAuth trusted client application that you created earlier.
  2. Expand the Client Configuration section.
  3. Select the Security check box for Trusted Client.
  4. Next to the Security control, click Import to import the Oracle Fusion Applications Cloud Service OWSM signing certificate you received from Oracle Support.
  5. Click Save.
  6. To activate the application, from the Oracle Identity Cloud Service console, select Applications, and select the application. Click the Activate button to the right of the application name.